OK, here's my latest take on it:
Valves/filters may be used for authentication, but Realms seem to be designed for it.
Valves/filters are newer than Realms, and are a bit more flexible. For example, you can use them for post-processing (AFTER the page executes).
My suggestion (if you can be flexible and just needs something simple) is to use the JDBCRealm that's "out of the box."
It's sort of a confusing issue because there's a lot of overlap in functionality.
If you're interested in understanding Valves a little better, my suggestion is to take a look at RequestFilterValve (and its subclasses, RemoteAddrValve and RemoteHostValve). These are pre-written filters whose use is explained at http://jakarta.apache.org/tomcat/tomcat-4.1-doc/config/valve.html.
They give you an example of how filters work, BUT the problem I have with them is that they rely on information in the server.xml file. Changing it will require a re-start, which might be inappropriate in a production environment.
[ December 25, 2002: Message edited by: Michael Mendelson ]